Microsoft NDES – use custom certificate template

To change the default certificate template NDES is using, it is necessary to change some Windows registry values. There appears to be no GUI tool from Microsoft for this. The procedure for changing these values is documented by Microsoft [1],[2]. To do so, open the registry editor and navigate to:

HKEY_LOCAL_MACHINE -> SOFTWARE -> Microsoft -> Cryptography -> MSCEP

Under this node, the registry values can be found. By default, the certificate template used by NDES is IPSECIntermediateOffline.

I'll now use my AfariaUser certificate I created in an earlier blog (you can find it on my site). To change this and to make use of the new AfariaUser certificate, edit all three entries.

Afterwards, the registry key looks like this:

To make the new templates effective for new requests, restart IIS (or the CA too, or the whole computer).
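The same change done from an elevated PowerShell session, as an added example that is not part of the original post. It reads the current values under the MSCEP key, sets all three template values (EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate, the value names Microsoft documents for this key), verifies the result before touching IIS, and then restarts IIS. The template name AfariaUser is the one from the post; substitute your own template's name (not its display name).

```powershell
# Added example (not from the original post): switch the NDES certificate
# templates under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP to a custom
# template and restart IIS so new SCEP requests use it.
# Run in an elevated PowerShell session on the NDES server.

$MscepKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$TemplateName = 'AfariaUser'   # template name from the post; use your own
$ValueNames   = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

if (-not (Test-Path $MscepKey)) {
    throw "Registry key $MscepKey not found. Is the NDES role installed on this host?"
}

# Record the current settings so the change can be reverted if needed.
$before = Get-ItemProperty -Path $MscepKey
foreach ($name in $ValueNames) {
    Write-Host ("Before: {0,-24} = {1}" -f $name, $before.$name)
}

# Set all three values; NDES uses them for encryption, general purpose
# and signature requests respectively, so leaving one behind causes
# some request types to still get the default template.
foreach ($name in $ValueNames) {
    Set-ItemProperty -Path $MscepKey -Name $name -Value $TemplateName -Type String
}

# Verify the change took effect before restarting anything.
$after = Get-ItemProperty -Path $MscepKey
$wrong = $ValueNames | Where-Object { $after.$_ -ne $TemplateName }
if ($wrong) {
    throw "Values not updated: $($wrong -join ', ')"
}
foreach ($name in $ValueNames) {
    Write-Host ("After:  {0,-24} = {1}" -f $name, $after.$name)
}

# NDES only reads the template values at start-up, so restart IIS.
iisreset /restart
```

The script does not check that the CA is actually configured to issue the named template, nor that the NDES service account has Enroll permission on it; if either is missing, SCEP requests will be rejected after the restart even though the registry values look right.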

References

[1] http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx#Appendix_2_Set_Registry_Keys_to_Default_Values

[2] https://technet.microsoft.com/de-de/library/ff955642(v=ws.10).aspx


Microsoft CA – create a new certificate template

The creation of a certificate template is a basic administration task for a CA admin. To create a new template, open the CA management console and manage the available certificate templates.

Next, select a base template and duplicate it. The new template will be based on this template and inherit some of its properties. It is a good idea to take the User template as a basis for certificates requested by Afaria via SCEP.

Select for which CA type this template is going to be generated and later on used. You should go for at least Windows Server 2008.

Now you can fill in the information of your certificate template. This information will be used by the CA to create the final certificate, requested by Afaria. Make sure to include all you need and to configure it accordingly to your requirements.

After clicking OK, the new certificate template is listed in the available templates of your CA. Please be aware that with this, the new certificate template is only available to the CA; it is not yet added to the list of templates actually issued by the CA. You can have several CAs in your organization, and while the administrator adds new templates for the whole organization, only selected templates may be used by certain CAs. You can have a CA that only issues user certificates, while another CA only issues device certificates.

To make the template usable by your CA, add it to your CA's list of certificate templates to issue.

Select it from the list.

Congratulations. Now your new certificate template is available to your CA and new certificates based on this template can be issued to clients.
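The same "add to the list of templates to issue" step, scripted with certutil as an added example that is not part of the original post. It checks whether the template already appears in the CA's issue list and only adds it if it is missing, so re-running the script is harmless. It assumes the CA tools are installed on the host and that the session has CA administrator rights; the template name AfariaUser comes from the post, and the assumption that each line of certutil -CATemplates output starts with the template name followed by a colon is marked in the code.

```powershell
# Added example (not from the original post): make sure a certificate
# template is on the CA's list of templates to issue, adding it if needed.
# Run on the CA (or a host with the AD CS management tools) as a CA admin.

$TemplateName = 'AfariaUser'   # template name from the post; use your own

# certutil -CATemplates lists the templates the CA is configured to issue.
$issued = certutil -CATemplates 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "certutil -CATemplates failed:`n$($issued -join "`n")"
}

# Assumption: each output line begins with "<TemplateName>: <Display Name> ...".
$pattern = '^\s*' + [regex]::Escape($TemplateName) + ':'
$alreadyIssued = $issued | Where-Object { $_ -match $pattern }

if ($alreadyIssued) {
    Write-Host "Template '$TemplateName' is already issued by this CA."
} else {
    Write-Host "Template '$TemplateName' is not issued by this CA; adding it."
    # The leading '+' appends to the issue list instead of replacing it,
    # so the templates the CA already issues are left untouched.
    certutil -SetCATemplates "+$TemplateName"
    if ($LASTEXITCODE -ne 0) {
        throw "Failed to add template '$TemplateName' to the CA's issue list."
    }
}

# Print the final issue list so the result can be checked by eye.
certutil -CATemplates
```

Note that certutil -SetCATemplates without the leading '+' replaces the whole issue list, which would silently stop the CA from issuing every other template; that is why the script always uses the '+' form.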
